If there are four words e-commerce can always live by they are these: Never Get Too Comfortable.
That applies as readily to online consumers as it does to Internet merchants. Fresh evidence of the importance of this unwritten rule came to light when it was reported that computer security expert David Devitry had found a hole in Citibank’s Internet payment program, C2it.com.
According to Devitry, clever hackers could access account numbers and transfer money from C2it.com customers’ credit card and bank accounts. More ambitious hackers could access entire lists of credit card numbers.
In fact, Devitry maintains a Web site that alerts consumers to sites guilty of “cross-site scripting,” a flaw in which a site echoes attacker-supplied script back to its other users’ browsers, where it runs with those users’ logged-in sessions and lets even moderately skilled hackers get at individual consumers’ personal data.
As long ago as February 2000, the CERT Coordination Center, a non-academic unit of Carnegie Mellon University devoted to reporting Internet security problems, issued a warning about cross-site scripting, concluding that it was a fixable problem.
That being the case, why do so many high profile Web sites still have the same vulnerability that Devitry reported on C2it.com this week?
Devitry’s current list of sites that he says have cross-site scripting security holes includes such familiar names as EBay, Oracle, Netscape, About.com, and CNET, among others.
Among the sites that Devitry says found their cross-site scripting problem and fixed it are C2it.com competitor PayPal, and X10.com, which ironically bills itself as “Your Home Automation, Entertainment and Security Supersite.”
A careful reading of CERT’s nearly two-year-old warning indicates that not only is this problem avoidable, but fixing it is probably not all that complex.
Each of the above-listed vulnerable sites evidently knows the cross-site scripting problem exists, but apparently has yet to take the steps needed to rectify it completely, at least to Devitry’s satisfaction.
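To make the flaw and the fix concrete, here is an added example that is not code from the column, from Citibank, or from any of the sites named above. A hypothetical payment site greets a returning user by echoing the `name` query parameter into its HTML. The attacker sends a victim a link whose `name` value is a script; the vulnerable page pastes it in verbatim, so the victim’s browser runs it with the victim’s own session. The fix is the standard one: encode HTML metacharacters before any user-supplied text reaches the page. The host name, function names and the payload are all constructed for the demonstration.

```javascript
// Added example: a minimal reflected cross-site scripting bug and its fix.
// Nothing here is taken from C2it.com or any other site named in the column;
// the host, handlers and payload are hypothetical.

// Vulnerable: attacker-controlled text is pasted into the HTML verbatim.
// A link such as https://payments.example/greet?name=<script>...</script>
// makes the victim's browser execute the attacker's script as the victim.
function renderGreetingVulnerable(name) {
  return `<html><body><p>Welcome back, ${name}!</p></body></html>`;
}

// Fix: encode the HTML metacharacters so the browser treats the parameter
// as text, not markup, no matter what the attacker put in the link.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingSafe(name) {
  return `<html><body><p>Welcome back, ${escapeHtml(name)}!</p></body></html>`;
}

// Pull ?name= out of the link the victim was lured into clicking.
// URL.searchParams decodes the percent-encoding for us.
function nameFromUrl(href) {
  return new URL(href).searchParams.get("name") ?? "";
}

// Crude reviewer's check: does the rendered page contain a script element,
// an inline event handler or a javascript: URL that the template itself
// never emits? The regexes are illustrative, not a complete XSS detector.
function containsActiveContent(html) {
  return /<script\b|<\/script>|\bon\w+\s*=|javascript:/i.test(html);
}

// Constructed attacker link (hypothetical host and transfer endpoint). In the
// scenario the column describes, the injected script uses the victim's
// logged-in session to call the site's own money-transfer function.
const ATTACK_URL =
  "https://payments.example/greet?name=%3Cscript%3Efetch('/transfer?to=attacker%26amt=500')%3C/script%3E";

// Render the attacker's link through both handlers and report whether the
// resulting page carries executable content.
function demo(href = ATTACK_URL) {
  const name = nameFromUrl(href);
  const unsafe = renderGreetingVulnerable(name);
  const safe = renderGreetingSafe(name);
  return {
    injectedName: name,
    unsafeRunsScript: containsActiveContent(unsafe),
    safeRunsScript: containsActiveContent(safe),
    safeHtml: safe,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` and the vulnerable rendering reports an executable `<script>` element while the escaped rendering shows the same payload as harmless text (`&lt;script&gt;...`). The point CERT made is visible in the size of the fix: one encoding function applied at the place where untrusted text meets HTML.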
Trust Is Key
The impact of such widely-used and high-profile Web sites ignoring security holes could be far-reaching.
While shoppers logged on in record numbers this holiday season to buy gifts, the chief task for e-commerce sites right now is managing and retaining the consumer base. That includes ensuring the security and safety of online shopping.
A site such as C2it.com, where the main function is simply providing an online payment system, should be especially vigilant about possible security holes.
After all, if a novice online consumer gets burned on a Web site that is supposed to be helping him or her manage cash exchanges, it is possible that consumer’s trust in online transactions will be irretrievably lost.
The key word there is trust. So far, survey after survey still indicates that consumers remain unconvinced that online transactions are secure.
While cross-site scripting is clearly more common than most consumers realize, it is certainly not the only security problem facing online shoppers.
Late last year, Playboy.com, for example, sent an e-mail to its customers encouraging them to contact their credit card companies to check for unauthorized charges. This followed the company’s discovery that hackers had infiltrated its system and possibly lifted some credit card numbers.
Also, a few months back, Microsoft’s Hotmail.com was the victim of a hacker who exposed people’s private e-mail. That incident followed other well-publicized Microsoft security holes, including various problems with Outlook e-mail, the Windows operating system and Internet Explorer.
It seems the bigger the company, the more hackers focus on it.
That brings us back to our original premise: Never Get Too Comfortable.
Fraud is alive and well, and some e-commerce companies are not taking it seriously enough until it is too late.
Remember Flooz.com, the online currency company? In bankruptcy papers, the company claimed online fraud played a major role in its demise.
If online merchants expect longevity and prosperity, now is the time to find vulnerabilities and repair them. Just ask David Devitry.
What do you think? Let’s talk about it.
Note: The opinions expressed by our columnists are their own and do not necessarily reflect the views of the E-Commerce Times or its management.
Hey everyone. I just wanted to clarify one thing about the c2it hole. It’s a front end attack where there are three parties involved (attacker, c2it.com, and a c2it user). The attacker sends a script to the user, which can then access their c2it account. The script, which runs on the c2it site, could then have transferred money or accessed that user’s account information.
The statement “More ambitious hackers could access entire lists of credit card numbers.” is a little overstated. The “entire list” is only the list of credit card numbers that the attacked user has on their account, not all the credit card numbers in the c2it system.